Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-2118: Update Spring Security 3.1.x to work with Spring Framework 3.2.0 in a OSGI container #2343

spring-issuemaster opened this Issue Jan 9, 2013 · 16 comments


None yet
2 participants

Wim Bervoets (Migrated from SEC-2118) said:

The MANIFEST.MF file in the the 3 Spring Security jars contains Import-Package declarations with a version range that excludes Spring 3.2.0.RELEASE

(eg. org.springframework.beans;version="[3.0.7.RELEASE, 3.2.0)")
In an OSGI environment where Spring 3.2 is deployed, the Spring Security bundle can't be deployed as the Import Packages doesn't include 3.2.0 in the version range.

In attachment you can find patched jars with an update MANIFEST.MF

Wim Bervoets said:

I don't understand the the type was changed to Improvement. It is a bug (eg. impossible to use Spring Security with Spring 3.2 in an OSGI environment)

Armin said:

@wim Bervoets did you test the bundles that you patched ? Do they work for you ? If yes what environment are you using, because I have some issues using them with Virgo 3.6.

Any news about a release date for Spring Security that will work with the Spring Framework 3.2 in OSGI ?

Wim Bervoets said:

@armin, yes they are working for us. These are the only 3 jars we're using from spring security, maybe you need to patch some additional ones.

The only change is in the MANIFEST.MF files in the Import-Packages section. Eg. Spring Beans 3.2 is excluded by
org.springframework.beans;version="[3.0.7.RELEASE, 3.2.0)

I've changed it to org.springframework.beans;version="[3.0.7.RELEASE, 3.3.0)

We use Apache Felix OSGI container

Rob Winch said:

It was changed to enhancement because Spring 3.2 was not released at the time. Updating to support Spring 3.2 in an OSGi environment is no different than updating to support any other framework.

Rainer Burgstaller said:

wbervoets: at least the web package is still excluding the 3.2.0 versions for org.springframework.jdbc.core, org.springframework.expression. So your attached files won't work.

Rainer Burgstaller said:

Attached is the corrected web jar

Rob Winch said:

Thank you for the submission. This is now fixed.

Craig Foote said:

Am I seeing the same problem with org.springframework.security.remoting_3.1.3.RELEASE with an Import-Package on org.springframework.
remoting.httpinvoker;version="[3.0.7.RELEASE, 3.2.0)" from org.springframework.web but not compatible with version 3.2.1? Anyone have a patched version for that?


Rob Winch said:

There is no target date for Spring Security 3.1.4 at this time. This is due to the fact that

  • There are only a limited number of bugs at this time (none of which are viewed as critical). We do not like to release with very few tickets closed as this makes work for all our users without providing much value to them. Note that this ticket is not really considered a bug (it is an enhancement because Spring 3.2 did not exist when Spring Security 3.1.3 was created)
  • Most importantly, there is a focus on getting Spring Security 3.2 out the door as it impacts more users. The stable of Spring Security 3.2 is targeted for early Q3

Wim Bervoets said:

@rob, let's agree we differ opinion on the type of ticket (for us it is a critical bug as one would expect that the latest stable version of Spring security can be used with the latest stable spring framework version; there are no docs that say otherwise)
Why not make the Spring Security 3.1.x branch more stable then it already is, so we don't need to create patched jars :-) For most of your users it'll be only updating a version tag in Maven pom.xml file...

Rob Winch said:

Due to the popularity of this issue, we will be making a 3.1.4 release sometime next week. The OSGi version will be following within a week of the release. I understand that the delay with the OSGi version is not ideal, but given our current situation this is the best we can do. Please stay tuned to this issue and/or springsource.org for the release announcement. I will also post on this ticket when additional information about the OSGi version becomes available.

Rob Winch said:

We have released 3.1.4, and expect the OSGi version later this week. See http://www.springsource.org/node/22598

Rob Winch said:

You can now find the 3.1.4 release in the EBR

Wim Bervoets said:

Thanks, works great :)

@spring-issuemaster spring-issuemaster added this to the 3.2.0.M2 milestone Feb 5, 2016

This issue duplicates #2359

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment